Buffer overflows in telnet

According to two bulletins published by iDEFENSE, two buffer overflow vulnerabilities have been found in several implementations of the telnet client, including those shipped with Sun Solaris and MIT Kerberos, which could be exploited to compromise systems.

The functions affected by these buffer overflows are slc_add_reply() and env_opt_add(). Remote exploitation could allow the execution of arbitrary code with the privileges of the user who started the telnet client.

The risk is limited by the fact that, for an attack to succeed, the victim must connect to a server controlled by the attacker, and given how telnet is typically used, users normally connect only to trusted servers.

However, a telnet client may be made to connect automatically to a given server when the user merely views a web page containing a telnet link, which raises the likelihood of falling victim to this type of attack. The attacker could send such a page by email or otherwise trick the user into viewing it.

The vulnerability lies specifically in the handling of LINEMODE suboptions: no size check is made on the output, which is stored in a fixed-length buffer. A specially constructed reply containing a large number of SLC (Set Local Character) commands can therefore overflow this buffer with server-supplied data.
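The missing size check described above, as an added C illustration that is not the telnet source: a fixed-length SLC reply buffer (its 64-byte size and the 3-byte entry layout are assumptions) with a bounds-checked append that refuses entries which would not fit, run over a constructed oversized SLC list.

```c
#include <stdbool.h>
#include <stddef.h>
#define REPLY_BUF_SIZE 64  /* assumed size of the fixed-length reply buffer */
#define SLC_ENTRY_LEN  3   /* one SLC entry: function, flags, level (assumed layout) */

struct slc_reply {           /* reply assembled for a server's SLC suboption */
    unsigned char buf[REPLY_BUF_SIZE];
    size_t len;              /* bytes written so far */
    size_t dropped;          /* entries refused because they would not fit */
};

/* Bounds-checked append, the size check the advisory says is missing; refuses entries that would not fit. */
bool slc_add_reply_checked(struct slc_reply *r, unsigned char func,
                           unsigned char flags, unsigned char level) {
    if (r->len + SLC_ENTRY_LEN > REPLY_BUF_SIZE) {
        r->dropped++;
        return false;
    }
    r->buf[r->len++] = func;
    r->buf[r->len++] = flags;
    r->buf[r->len++] = level;
    return true;
}

/* Feed a server-supplied list of SLC triples through the checked append; returns how many were accepted. */
size_t slc_process(struct slc_reply *r, const unsigned char *data, size_t n_entries) {
    size_t accepted = 0;
    for (size_t i = 0; i < n_entries; i++) {
        const unsigned char *e = data + i * SLC_ENTRY_LEN;
        if (slc_add_reply_checked(r, e[0], e[1], e[2]))
            accepted++;
    }
    return accepted;
}

/* Constructed sample: 40 SLC entries (120 bytes), more than the 64-byte
 * buffer holds. With the check in place, 21 entries fit and 19 are dropped. */
size_t demo_oversized_suboption(size_t *dropped_out) {
    enum { N = 40 };
    unsigned char suboption[N * SLC_ENTRY_LEN];
    for (size_t i = 0; i < N; i++) {
        suboption[i * 3] = (unsigned char)(i + 1);       /* function number */
        suboption[i * 3 + 1] = suboption[i * 3 + 2] = 0; /* flags, level */
    }
    struct slc_reply r = {{0}, 0, 0};
    size_t accepted = slc_process(&r, suboption, N);
    if (dropped_out) *dropped_out = r.dropped;
    return accepted;
}
```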

Craig has over 25 years of Technology Consulting experience including 10 years in Project Leadership roles. He has extensive background working with large scale, high-profile systems integration and development projects that span a customer’s organization, and experience designing robust solutions that bring together multiple platforms from Intel to Unix to Mainframe technologies with the Internet.